Saturday, September 30, 2017

email server - Google Apps as SMTP relay?



We have linked our company's domain to Google Apps, and we also run a Kerio Connect mail server in-house which uses Google as its SMTP relay. Since Google requires SMTP authentication, we use one of our mail addresses for it. But this causes Google to replace the "From" header with the address of the user used for authentication.



For example, we want to send email from user1@company.org. The user smtp@company.org is used for SMTP authentication in the SMTP relay settings of the Kerio Connect mail server. The mail gets delivered, but on the recipient's side it says the message is from smtp@company.org, even though it was actually sent from user1@company.org (the Reply-To header is also set to smtp@company.org :( ).



In the "Sending mail from a different address" section of Gmail help there is an explanation of how I can send email from, say, user1@domain.com when user2@domain.com is used for authentication. - They say I need to sign up to Gmail with user2@ and add user1@ as another mail address I own (Mail settings -> Accounts -> "Send mail as" section). And it works. For example, when I sign up with smtp@company.org and add user1@company.org as another mail address I own, then I can send email from user1@company.org using smtp@company.org for authentication, and the recipient will see that the message is sent from user1@company.org.




But what if I have a hundred email addresses on the domain? I don't want to add all 100 of them in the settings.
I just want any user (*@company.org) to be able to send email using smtp@company.org for authentication, with the recipient seeing the message as sent from *@company.org, not smtp@company.org.



Is there an easy way to do that?


Answer



Thank you for your replies.
Although the method I described in the question works (though it's far from perfect), we have decided not to use Gmail as an SMTP relay for now. For the time being we are using our hosting server's SMTP.


php - nginx - linux permissions interesting issue

I'd like to get some answers or suggestions to my problem.
So I'm getting a simple error:




2014/02/16 12:01:43 [error] 7384#0: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 127.0.0.1,
server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "localhost"




Firstly, my nginx configuration itself is fine (i.e. it is working). The only problem I have is with Linux permissions on files/folders. I can't make sense of the situation I'm in. Ok, so here is the relevant info:





  • nginx works well, with PHP and MySQL configured.

  • the user nginx runs as is named "nginx"

  • index index.php index.html index.htm (the nginx index directive)



Here is my problem:



I have a tree like: /home/user/



home dir is: root:root with 755
user dir is: user:user with 700




I created a file named index.php at /home/user/index.php. Nginx reported (/var/log/nginx/error.log) that it had no permissions. Ok, so I ran "usermod -a nginx -G user" and changed the permissions of the "user" dir to 750 (so nginx now belongs to user's group and can read and traverse the contents of the user dir). This works, but not 100%. If I now create a file index.html or index.htm, nginx serves it in the browser! Wow! Yeah... now I want to create index.php to write some code. Boom! The file was NOT FOUND. Hmm, that's really interesting to me: what did I do wrong? The interesting fact is that if I change the user dir permissions to 755 (from 750), nginx sees index.php. If I understand correctly, nginx first passes through the /home dir using the "o" permissions (r-x). Next it needs to enter the "user" dir, and since the nginx user is in user's group, it can take that step using the "g" permissions on the user/ dir. But what keeps nginx from seeing index.php, while it does see index.html and .htm?



Ok, maybe my knowledge has some gaps, but I need to ask: why does this happen?
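For what it's worth, a hedged sketch of how to check each step of that permission chain (the paths match the ones above; the PHP-FPM pool file location varies by distro, so treat it as a placeholder):

# Show owner, group and mode of every component of the path, in order:
namei -l /home/user/index.php

# Try to read the file exactly as the nginx user would:
sudo -u nginx cat /home/user/index.php

# Note: PHP requests are actually read by the PHP-FPM worker, which may run as
# a different user than nginx - check the pool's "user" setting:
grep '^user' /etc/php-fpm.d/www.conf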

Friday, September 29, 2017

Fedora 4, Apache 2.2.0, tomcat 5.5.7, openssl 0.9.7f, SSL certificates, domain names and IP addresses



I recently became the new admin of an old system that everybody approaches with the "don't touch it or it might break" mentality. Now I am being told to "touch it, and don't break it!"



Task:
What I am supposed to do: Remove a domain name www.domain1.com from the server and replace it with www.domain2.com.



Background:

www.domain1.com uses a SSL Certificate to host a SOAP and a protected data retrieval site.
The server is long out of date. It is a Fedora 4 server with Apache 2.2.0, tomcat 5.5.7 and openssl 0.9.7f.



I am trying to:
Set up www.domain2.com on the server with an SSL certificate to allow our Business relations to access the SOAP from www.domain2.com/SOAP. We will move our other websites over then as well.



Path One:
I was looking to set up the two domains on the same IP address (1.1.1.1), to keep things simple. However, that doesn't look so easy or safe (see References at the bottom). I found out that I don't have new enough versions of Apache or OpenSSL to do this.



Path Two:
I decided to see what I would have to do to update them, which led to finding out that yum and apt-get no longer have mirrors for FC4. I found versions online that I could install manually. I don't want to go that route because I doubt I could reverse the changes. I don't like putting my hopes in a silver bullet that could also kill me if I miss.




I have:




  • I have an SSL certificate for www.domain2.com.

  • www.domain2.com is pointed at the same IP as www.domain1.com (1.1.1.1).

  • I have three more IP addresses assigned to my server that I can use (1.1.1.2, 1.1.1.3 and 1.1.1.4).



Since the path I was heading down doesn't look feasible, I was thinking I could set up www.domain2.com on 1.1.1.2, with a new install of Apache that could then also link to Tomcat to give access to the SOAP.




Questions:




  • Can I set up domain2 on the current version of Apache with IP 1.1.1.2 with its certificate or do I need to install another version of Apache to run side by side?

  • How would I configure the httpd-ssl.conf file if it is in the same Apache?



The current httpd-ssl.conf (Comments removed):




   Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin


SSLSessionCache shmcb:/usr/local/apache-2.2.0/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300


SSLMutex file:/usr/local/apache-2.2.0/logs/ssl_mutex

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

ServerName domain1.com
ServerAdmin webmaster@www.domain1.com

DocumentRoot /www/www.domain.com
ErrorLog logs/sslerror_log
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
TransferLog logs/ssltransfer_log
JkMount /domain1app1/* ajp13
JkMount /domain1app2/* ajp13
JkMount /SOAPdomain1app3/* ajp13
JkMount /InformationRetrevaldoamin1app4/* ajp13


SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt

SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key

SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate.crt



SSLOptions +StdEnvVars


BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0




Does anybody have any suggestions as to how to proceed? I am looking for the littlest change that is "undo able" in case I mess it up. My tool box is pretty small when it comes to these types of things. Any help would be greatly appreciated! If you have a way to go about this that I haven't thought of, please let me know. :) Oh and my boss would like me to get the ssl certificate in on Saturday during a 4 hour maintenance window. If it isn't possible I can delay till the next one.



Thanks in Advance!



Edited for readability.



References:



Multiple SSL domains on the same IP address and same port?




SSL site not using the correct IP in Apache and Ubuntu



can't install ssl certificate on apache


Answer



You shouldn't install a new Apache. Apache was probably installed from RPM packages anyway, so a second Apache could only be installed by hand. In my opinion, it is better to avoid that kind of fuss.
However, you have other options.



Option 1: You can configure your Apache to handle both sites. To do this, you need to:





  • Use the explicit IP address with the VirtualHost directive

  • and supply a NameVirtualHost directive to each of them



This is really a copy-paste of the current configuration with a few changes. It should look like the config below. This way www.domain1.com and www.domain2.com serve the same content, since the JkMount directives remain the same.



You should copy the current httpd-ssl.conf file before editing it, so that in case I screwed something up in the config, you can copy back the original and restart the server.



Option 2: If you only need to change the domain name, you really don't have to touch a thing. The registration of a new domain doesn't have anything to do with Apache. Once the registration is complete, the DNS servers will resolve www.domain2.com to 1.1.1.1 (what used to be www.domain1.com). Once this is done and domain1.com is deleted, you only need to replace the ServerName directive and the certificates.




If you must have the two domains coexist, no matter how long, then goto 1.



Option 3: If you simply add a



ServerAlias www.domain2.com


line to your existing config, inside the VirtualHost definition, Apache will still serve both domains (on the same IP address). In this case, however, you can't have different certificates for the two domains.



--




Here is the modified config for Option 1:



Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/usr/local/apache-2.2.0/logs/ssl_scache(512000)

SSLSessionCacheTimeout 300

SSLMutex file:/usr/local/apache-2.2.0/logs/ssl_mutex

NameVirtualHost 1.1.1.1:443
NameVirtualHost 1.1.1.2:443

##
## SSL Virtual Host Context
##



<VirtualHost 1.1.1.1:443>

ServerName domain1.com
ServerAdmin webmaster@www.domain1.com
DocumentRoot /www/www.domain.com
ErrorLog logs/sslerror_domain1_log
CustomLog logs/ssl_request_domain1_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
TransferLog logs/ssltransfer_domain1_log
JkMount /domain1app1/* ajp13

JkMount /domain1app2/* ajp13
JkMount /SOAPdomain1app3/* ajp13
JkMount /InformationRetrevaldoamin1app4/* ajp13

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt
SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key

SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate_for_domain1.crt


SSLOptions +StdEnvVars


BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0




<VirtualHost 1.1.1.2:443>

ServerName domain2.com
ServerAdmin webmaster@www.domain2.com
DocumentRoot /www/www.domain.com
ErrorLog logs/sslerror_domain2_log
CustomLog logs/ssl_request_domain2_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
TransferLog logs/ssltransfer_domain2_log


JkMount /domain1app1/* ajp13
JkMount /domain1app2/* ajp13
JkMount /SOAPdomain1app3/* ajp13
JkMount /InformationRetrevaldoamin1app4/* ajp13

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache-2.2.0/conf/domain2.crt
SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain2.key

SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate_for_domain2.crt


SSLOptions +StdEnvVars


BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0



Thursday, September 28, 2017

linux - Can high disk cache usage lead to external fragmentation and ultimately to page allocation failures?

We're getting page allocation failures on a Linux server (3.2 kernel). We've been told the problem is directly related to heavy use of memory for the cache; this supposedly leads to external fragmentation, and ultimately to page allocation errors. Here's an excerpt of top's output:



top - 10:45:09 up 3 days, 17:10,  0 users,  load average: 1.00, 0.97, 1.08
Tasks: 313 total, 3 running, 310 sleeping, 0 stopped, 0 zombie

Cpu(s): 7.9%us, 1.2%sy, 0.0%ni, 89.8%id, 0.2%wa, 0.0%hi, 0.9%si, 0.0%st
Mem: 8174056k total, 7948312k used, 225744k free, 278412k buffers
Swap: 2072348k total, 180k used, 2072168k free, 4676676k cached


We've been told that the problem is being mitigated by freeing the caches periodically:



echo 3 > /proc/sys/vm/drop_caches



I've been told to reduce the cache usage in order to solve the problem for good. But I'm reluctant to believe that caching would lead to page allocation errors. I understand that memory allocated for disk caching is basically free memory (according to http://www.linuxatemyram.com), and high memory usage for caching is actually a good sign. It would lead to external fragmentation, sure, but would the kernel fail to reclaim this space in order to satisfy, say, an order-4 allocation request? The sample programs available at http://www.linuxatemyram.com show that an application has no problem allocating memory in such a scenario, but would it be any different if the kernel needed to allocate the same amount of memory?
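One hedged way to see whether external fragmentation is actually the culprit (i.e. whether higher-order free blocks are scarce) is to compare the buddy allocator's free-list counts before and after compacting or dropping caches; /proc/buddyinfo and /proc/sys/vm/compact_memory should both be present on a 3.2 kernel built with compaction support:

# Free blocks per order (leftmost column = order 0, rightmost = highest order);
# few or zero entries in the higher-order columns indicate external fragmentation.
cat /proc/buddyinfo

echo 1 > /proc/sys/vm/compact_memory    # trigger compaction (CONFIG_COMPACTION kernels)
echo 3 > /proc/sys/vm/drop_caches       # drop clean page/dentry/inode caches
cat /proc/buddyinfo                     # compare the higher-order columns again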

domain name system - How to Add Pointer Record in Reverse Lookup DNS Zone (Windows Server)

I want to add a pointer record to a reverse lookup zone on Windows Server 2012. The pointer record should point to a delegated zone defined in a forward lookup zone.



I want to answer any DNS query: b._dns-sd._udp.0.1.168.192.in-addr.arpa PTR



My answer should be:



b._dns-sd._udp.0.1.168.192.in-addr.arpa PTR device-discovery.testzone.local.



I already have the device-discovery delegation defined in testzone.local., and it works fine.




Can someone please guide me on how to add this PTR record to the reverse lookup zone? Please comment if anything is unclear.
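For reference, a hedged sketch of what the command-line version might look like with dnscmd, assuming the reverse zone 0.1.168.192.in-addr.arpa already exists on the server (the DnsServer PowerShell module's Add-DnsServerResourceRecordPtr cmdlet would be the equivalent on Server 2012):

dnscmd /RecordAdd 0.1.168.192.in-addr.arpa b._dns-sd._udp PTR device-discovery.testzone.local.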



Thanks a lot.

Wednesday, September 27, 2017

file sharing - What can prevent a Server 2008 machine accessing its OWN UNC shares?

I need to set up a UNC share for my hosted dedicated server to access a share on itself. Unfortunately TFS requires a UNC share.



I am on a Windows Server 2008 Standard SP2 64bit dedicated server behind a PIX 501 firewall hosted with GoDaddy.



I just cannot get the server to access itself and get this error:





Windows cannot access \\SERVER\SHARE
Check the spelling of the name.. etc.




I've found numerous questions about this but no answer to my problem.




  • Server 2008 Standard x64 SP2

  • Workgroup - not domain

  • Windows Firewall is off


  • Computer browser service is on

  • I am trying to access \\MYMACHINE\TFS-BUILDS by typing in - or double clicking. Neither works.

  • Machine has single network card

  • Filesharing wizard says share was ok

  • Share was showing under 'Computer management'

  • Permissions are set to 'everyone' full control

  • No obvious errors in eventlog

  • Reboot didn't fix it

  • Unfortunately I cannot try to access other shares in or out of this machine because it is a hosted dedicated server and the only machine behind a hardware firewall.




The only thing left I can think of is that the hardware firewall needs to be configured. I don't think that's it, though, because we have a 2003 Server machine behind a different hardware firewall and that one works fine.



What on earth is left?!

Tuesday, September 26, 2017

rootkit - Pull network or power? (for containing a rooted server)



When a server gets rooted (e.g. a situation like this), one of the first things you may decide to do is containment. Some security specialists advise against moving to remediation immediately and recommend keeping the server online until forensics are completed. That advice usually applies to APTs; it's different if you have an occasional script kiddie breach, where you may decide to remediate (fix things) early. One of the steps in remediation is containment of the server. Quoting from Robert Moir's answer: "disconnect the victim from its muggers".



A server can be contained by pulling the network cable or the power cable.




Which method is better?



Taking into consideration the need for:




  1. Protecting victims from further damage

  2. Executing successful forensics

  3. (Possibly) Protecting valuable data on the server




Edit: 5 assumptions



Assuming:




  1. You detected early: 24 hours.

  2. You want to recover early: 3 days of 1 systems admin on the job (forensics and recovery).

  3. The server is not a virtual machine or a container able to take a snapshot capturing the contents of the server's memory.

  4. You decide not to attempt prosecuting.

  5. You suspect that the attacker may be using some form of software (possibly sophisticated) and this software is still running on the server.



Answer



If you're facing an APT, then your best option is to set up a honeypot and thoroughly investigate all traffic that flows into and out of it, in addition to monitoring the server.



Going through memory is so expensive in terms of time and effort that it's usually not worthwhile unless you've tried every other method; and if you determine that it is worthwhile, it's generally best to set up a honeypot that allows you to easily dump the memory and system state to another machine on the fly, so you can do analysis with less threat of being detected while the machine is up and running.



I had one situation where the attacker kept everything in memory to the degree that, except for the logs, the machine looked exactly like its image once powered off and back on. They would then hack back in and start using it again, because the vulnerability was still there - they didn't need to leave any backdoors for themselves. A memory evaluation could have helped here, but in this case watching the traffic was enough to identify the vulnerability quickly.



Therefore:




The only reason to avoid pulling the power and doing offline disk evaluation is if you're going to go through the pain of doing a thorough memory analysis of the threat while it's in place and operating. If you've gotten to the point where this is necessary, then there is no reason to pull either plug.



If you're not doing a memory analysis, then pulling the power plug is your best bet - pulling the ethernet (or using a shutdown command) is only going to give the attacker's software advance notice - which does matter occasionally.



So:



Pull them both, unless you're doing a memory analysis, in which case, don't pull either.


amazon web services - After changing permissions to home/ec2-user of the main volume I can no longer SSH in even after changing permissions



As the title says: I was dumb enough to recursively change the permissions of home/ec2-user to 777, after which I could not log in. I then detached the volume, attached it to another instance, and recursively changed the permissions of that folder to 700. Now when I try to connect using the following command I get the error below:



     ssh -v -i  ~/Amazon-fooDev/fooDev.pem ec2-user@ec2-34-212-108-144.us-west-2.compute.amazonaws.com
OpenSSH_7.8p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/admin/.ssh/config

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to ec2-34-212-108-144.us-west-2.compute.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file /Users/admin/Amazon-fooDev/fooDev.pem type -1
debug1: identity file /Users/admin/Amazon-fooDev/fooDev.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to ec2-34-212-108-144.us-west-2.compute.amazonaws.com:22 as 'ec2-user'

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XJWnn7TLa5feJVY7kAOUJQGmWm8J3UNQ/MM+uQZa+Sk
debug1: Host 'ec2-34-212-108-144.us-west-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/admin/.ssh/known_hosts:1

debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey

debug1: Trying private key: /Users/admin/Amazon-fooDev/fooDev.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ec2-user@ec2-34-212-108-144.us-west-2.compute.amazonaws.com: Permission denied (publickey).


Any suggestions on what I could do to fix this problem? I wasted an entire day trying to connect to that instance and get it back to the state it was originally in. Any suggestions would be appreciated. Is 700 the correct permission for home/ec2-user, or should I change it to something else? Do you think I might be looking in the wrong direction?



Here is a list of some of the latest permissions:




[root@ip-172-31-42-113 vol1]# chmod 600 home/ec2-user/.ssh/authorized_keys
[root@ip-172-31-42-113 vol1]# ls -l
total 120
dr-xr-xr-x 2 root root 4096 Nov 17 09:05 bin
dr-xr-xr-x 4 root root 4096 Nov 17 09:05 boot
drwxr-xr-x 2 root root 4096 Feb 28 2014 cgroup
drwxr-xr-x 2 root root 4096 Aug 11 01:27 dev
drwxr-xr-x 83 root root 4096 Nov 27 01:51 etc
drwx------ 3 root root 4096 Nov 17 05:10 home
dr-xr-xr-x 7 root root 4096 Nov 17 08:48 lib

dr-xr-xr-x 10 root root 12288 Nov 17 09:05 lib64
drwxr-xr-x 2 root root 4096 Aug 11 01:26 local
drwx------ 2 root root 16384 Aug 11 01:26 lost+found
drwxr-xr-x 2 root root 4096 Jan 6 2012 media
drwxr-xr-x 2 root root 4096 Jan 6 2012 mnt
drwxr-xr-x 3 root root 4096 Aug 11 01:26 opt
drwxr-xr-x 2 root root 4096 Aug 11 01:26 proc
dr-xr-x--- 5 root root 4096 Nov 26 12:00 root
drwxr-xr-x 3 root root 4096 Nov 17 05:10 run
dr-xr-xr-x 2 root root 12288 Nov 17 09:05 sbin

drwxr-xr-x 2 root root 4096 Jan 6 2012 selinux
drwxr-xr-x 2 root root 4096 Jan 6 2012 srv
drwxr-xr-x 2 root root 4096 Aug 11 01:26 sys
drwxrwxrwt 3 root root 4096 Nov 27 03:15 tmp
drwxr-xr-x 16 root root 4096 Nov 22 23:12 usr
drwxr-xr-x 20 root root 4096 Nov 17 08:31 var
[root@ip-172-31-42-113 vol1]# cd home/ec2-user/.ssh/
[root@ip-172-31-42-113 .ssh]# ls -l
total 4
-rw------- 1 ec2-user ec2-user 391 Nov 27 01:51 authorized_keys


Answer



SSH's -i parameter expects the next argument to be the key file name.



In your case -iv tells ssh to read the key from a file named v - not quite what you wanted :) The flow-on effect is that the next parameter (the key file name) is treated as the host name, which obviously can't be resolved.



This will work:



ssh -v -i ~/Amazon-Permission/FooDev.pem ec2-user@ec2-...



Update after your update :)



If you did a recursive chmod 700, it changed the mode of authorized_keys too.
Mount the volume back to your little "helper" instance and do:



chmod 600 home/ec2-user/.ssh/authorized_keys


Update 2




Your home/ must be mode 755, not 700. Otherwise sshd can't open the authorized_keys file as ec2-user.



chmod 755 home
chmod 700 home/ec2-user home/ec2-user/.ssh
chmod 600 home/ec2-user/.ssh/authorized_keys


Hope that helps :)


Replicate parent domain active directory records to specific child domain



I have one child domain which references parent domain groups (it is a remote desktop gateway server into a restricted network segment).



This network is restricted and only the child DC can communicate with the parent DC. Child member computers cannot perform queries against the parent domain controllers.



I believe I can set the forest root zone's replication scope to 'All DNS servers in the forest that are domain controllers running Windows', which would allow the child DC to resolve queries for the parent domain; however, this would push traffic everywhere.




Is there a way I can push the parent's root DNS zone to just one particular child domain?


Answer



Replicating the forest root DNS zone isn't going to do anything other than let your clients in the child view DNS records for the parent.



What you want is to make the group in question a universal group. A universal security group is replicated to all global catalogs in the forest, which means that a GC in your child domain can authoritatively answer the query without requiring a referral to the parent.
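A hedged one-liner for changing the group's scope from the command line (the distinguished name is a placeholder; Set-ADGroup -GroupScope Universal would be the PowerShell equivalent):

dsmod group "CN=RDGW Access,OU=Groups,DC=parent,DC=example,DC=com" -scope u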


mod ssl - is it possible to use KeyChain / ssh-agent with apache?



There are lots of questions (and duplicates) on Server Fault asking how to restart Apache without the passphrase prompt.
Two solutions are proposed:




  • removing the password from the key

  • the Apache directive that supplies the key passphrase to Apache (SSLPassPhraseDialog)




This question is not a duplicate of the following one that deals with the two exposed answers:
SSL password on apache2 restart



To me both amount to the same level of security - not necessarily a bad one, but often a bad one.



I'm wondering if it is possible to use KeyChain and an ssh-agent to avoid storing either a key without a password or a password in the clear in a file, or whether there are other alternatives.



This would allow restarting Apache without a passphrase prompt, except of course after the server is rebooted.




Has anybody successfully implemented this?


Answer



No, unfortunately this is not possible. The SSH agent can only prove that you possess a certain private key, it has no functionality to either give access to that key or use it for decrypting a secret.


Monday, September 25, 2017

4gb cache RAID and 2gb cache RAID controllers VS SAS and SSD disks

I'm going to provision a server with 2 RAID controllers. Both controllers have the same specs except for the cache: one is a 2 GB cache controller and the other a 4 GB cache controller; let's call them SC (small cache) and BC (big cache) respectively.



I also have 2 sets of disks: a set of four 12 Gb/s 15k SAS disks to be set up in RAID 10, and a set of four 6 Gb/s SSDs to be set up in RAID 5 (more space at the cost of a less reliable RAID level).



DB transactions will occur on the SSDs, while documents and mail will be stored on the SAS disks.



My initial idea was to give more cache to the SSDs, but honestly I don't know if this is really useful; namely, I don't really know whether RAID write cache is useful at all with databases on SSD.



I would like some insight on which cache to reserve for which disks, so as not to waste cache where it isn't needed/useful.




thank you.

centos - Why did Linux OOM killer activate before using all of the swap?



I have a problem where my Java process gets killed by the kernel OOM killer. I'm not sure why that is happening, because according to syslog I still had free swap space:



Jan 15 08:52:24 xyz-server kernel: Free swap = 3885844kB
Jan 15 08:52:24 xyz-server kernel: Total swap = 4194296kB



I have set vm.swappiness to 0. I understood that to mean the kernel will swap only if it has to in order to prevent an OOM situation, so I thought it would be OK. Was that a bad idea?



I'm running CentOS 6, and I've attached the full syslog below:



Jan 15 08:52:24 xyz-server kernel: shibd invoked oom-killer: gfp_mask=0xd0, order=1, oom_adj=0, oom_score_adj=0
Jan 15 08:52:24 xyz-server kernel: shibd cpuset=/ mems_allowed=0
Jan 15 08:52:24 xyz-server kernel: Pid: 18630, comm: shibd Tainted: G W --------------- 2.6.32-358.14.1.el6.x86_64 #1
Jan 15 08:52:24 xyz-server kernel: Call Trace:

Jan 15 08:52:24 xyz-server kernel: [] ? cpuset_print_task_mems_allowed+0x91/0xb0
Jan 15 08:52:24 xyz-server kernel: [] ? dump_header+0x90/0x1b0
Jan 15 08:52:24 xyz-server kernel: [] ? security_real_capable_noaudit+0x3c/0x70
Jan 15 08:52:24 xyz-server kernel: [] ? oom_kill_process+0x82/0x2a0
Jan 15 08:52:24 xyz-server kernel: [] ? select_bad_process+0xe1/0x120
Jan 15 08:52:24 xyz-server kernel: [] ? out_of_memory+0x220/0x3c0
Jan 15 08:52:24 xyz-server kernel: [] ? __alloc_pages_nodemask+0x8ac/0x8d0
Jan 15 08:52:24 xyz-server kernel: [] ? alloc_pages_current+0xaa/0x110
Jan 15 08:52:24 xyz-server kernel: [] ? __get_free_pages+0xe/0x50
Jan 15 08:52:24 xyz-server kernel: [] ? copy_process+0xe4/0x1450

Jan 15 08:52:24 xyz-server kernel: [] ? __do_page_fault+0x1ec/0x480
Jan 15 08:52:24 xyz-server kernel: [] ? do_fork+0x94/0x460
Jan 15 08:52:24 xyz-server kernel: [] ? sys_clone+0x28/0x30
Jan 15 08:52:24 xyz-server kernel: [] ? stub_clone+0x13/0x20
Jan 15 08:52:24 xyz-server kernel: [] ? system_call_fastpath+0x16/0x1b
Jan 15 08:52:24 xyz-server kernel: Mem-Info:
Jan 15 08:52:24 xyz-server kernel: Node 0 DMA per-cpu:
Jan 15 08:52:24 xyz-server kernel: CPU 0: hi: 0, btch: 1 usd: 0
Jan 15 08:52:24 xyz-server kernel: CPU 1: hi: 0, btch: 1 usd: 0
Jan 15 08:52:24 xyz-server kernel: CPU 2: hi: 0, btch: 1 usd: 0

Jan 15 08:52:24 xyz-server kernel: CPU 3: hi: 0, btch: 1 usd: 0
Jan 15 08:52:24 xyz-server kernel: Node 0 DMA32 per-cpu:
Jan 15 08:52:24 xyz-server kernel: CPU 0: hi: 186, btch: 31 usd: 0
Jan 15 08:52:24 xyz-server kernel: CPU 1: hi: 186, btch: 31 usd: 0
Jan 15 08:52:24 xyz-server kernel: CPU 2: hi: 186, btch: 31 usd: 0
Jan 15 08:52:24 xyz-server kernel: CPU 3: hi: 186, btch: 31 usd: 0
Jan 15 08:52:24 xyz-server kernel: Node 0 Normal per-cpu:
Jan 15 08:52:24 xyz-server kernel: CPU 0: hi: 186, btch: 31 usd: 0
Jan 15 08:52:24 xyz-server kernel: CPU 1: hi: 186, btch: 31 usd: 0
Jan 15 08:52:24 xyz-server kernel: CPU 2: hi: 186, btch: 31 usd: 0

Jan 15 08:52:24 xyz-server kernel: CPU 3: hi: 186, btch: 31 usd: 0
Jan 15 08:52:24 xyz-server kernel: active_anon:3079090 inactive_anon:392870 isolated_anon:10
Jan 15 08:52:24 xyz-server kernel: active_file:51 inactive_file:131 isolated_file:0
Jan 15 08:52:24 xyz-server kernel: unevictable:0 dirty:0 writeback:2 unstable:0
Jan 15 08:52:24 xyz-server kernel: free:30217 slab_reclaimable:13388 slab_unreclaimable:11090
Jan 15 08:52:24 xyz-server kernel: mapped:81 shmem:142 pagetables:13866 bounce:0
Jan 15 08:52:24 xyz-server kernel: Node 0 DMA free:15528kB min:68kB low:84kB high:100kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15136kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
Jan 15 08:52:24 xyz-server kernel: lowmem_reserve[]: 0 3000 5020 5020
Jan 15 08:52:24 xyz-server kernel: Node 0 DMA32 free:22312kB min:14224kB low:17780kB high:21336kB active_anon:2192960kB inactive_anon:559136kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3072096kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:1228kB slab_unreclaimable:1940kB kernel_stack:616kB pagetables:716kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
Jan 15 08:52:24 xyz-server kernel: lowmem_reserve[]: 0 0 2020 2020

Jan 15 08:52:24 xyz-server kernel: Node 0 Normal free:83028kB min:53284kB low:66604kB high:79924kB active_anon:10123400kB inactive_anon:1012344kB active_file:204kB inactive_file:524kB unevictable:0kB isolated(anon):40kB isolated(file):0kB present:11505664kB mlocked:0kB dirty:0kB writeback:8kB mapped:324kB shmem:568kB slab_reclaimable:52324kB slab_unreclaimable:42420kB kernel_stack:3688kB pagetables:54748kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
Jan 15 08:52:24 xyz-server kernel: lowmem_reserve[]: 0 0 0 0
Jan 15 08:52:24 xyz-server kernel: Node 0 DMA: 2*4kB 2*8kB 1*16kB 2*32kB 1*64kB 0*128kB 0*256kB 0*512kB 1*1024kB 1*2048kB 3*4096kB = 15528kB
Jan 15 08:52:24 xyz-server kernel: Node 0 DMA32: 99*4kB 114*8kB 141*16kB 108*32kB 85*64kB 49*128kB 12*256kB 1*512kB 0*1024kB 0*2048kB 0*4096kB = 22316kB
Jan 15 08:52:24 xyz-server kernel: Node 0 Normal: 14355*4kB 455*8kB 209*16kB 118*32kB 70*64kB 27*128kB 15*256kB 2*512kB 0*1024kB 1*2048kB 0*4096kB = 83028kB
Jan 15 08:52:24 xyz-server kernel: 7840 total pagecache pages
Jan 15 08:52:24 xyz-server kernel: 7519 pages in swap cache
Jan 15 08:52:24 xyz-server kernel: Swap cache stats: add 2995034, delete 2987515, find 314611560/314790727
Jan 15 08:52:24 xyz-server kernel: Free swap = 3885844kB
Jan 15 08:52:24 xyz-server kernel: Total swap = 4194296kB

Jan 15 08:52:24 xyz-server kernel: 3670000 pages RAM
Jan 15 08:52:24 xyz-server kernel: 71979 pages reserved
Jan 15 08:52:24 xyz-server kernel: 21635 pages shared
Jan 15 08:52:24 xyz-server kernel: 3528964 pages non-shared
Jan 15 08:52:24 xyz-server kernel: [ pid ] uid tgid total_vm rss cpu oom_adj oom_score_adj name
Jan 15 08:52:24 xyz-server kernel: [ 442] 0 442 2659 2 0 -17 -1000 udevd
Jan 15 08:52:24 xyz-server kernel: [ 1109] 0 1109 17425 81 3 0 0 vmtoolsd
Jan 15 08:52:24 xyz-server kernel: [ 1253] 0 1253 23299 2 1 -17 -1000 auditd
Jan 15 08:52:24 xyz-server kernel: [ 1269] 0 1269 62464 37 1 0 0 rsyslogd
Jan 15 08:52:24 xyz-server kernel: [ 1287] 32 1287 4743 1 0 0 0 rpcbind

Jan 15 08:52:24 xyz-server kernel: [ 1323] 29 1323 5836 1 0 0 0 rpc.statd
Jan 15 08:52:24 xyz-server kernel: [ 1351] 0 1351 6290 1 1 0 0 rpc.idmapd
Jan 15 08:52:24 xyz-server kernel: [ 1372] 81 1372 5895 1 1 0 0 dbus-daemon
Jan 15 08:52:24 xyz-server kernel: [ 1383] 70 1383 7434 2 3 0 0 avahi-daemon
Jan 15 08:52:24 xyz-server kernel: [ 1384] 70 1384 7434 1 1 0 0 avahi-daemon
Jan 15 08:52:24 xyz-server kernel: [ 1423] 0 1423 113067 1 0 0 0 automount
Jan 15 08:52:24 xyz-server kernel: [ 1443] 0 1443 16563 15 3 -17 -1000 sshd
Jan 15 08:52:24 xyz-server kernel: [ 1564] 0 1564 29312 8 1 0 0 crond
Jan 15 08:52:24 xyz-server kernel: [ 1572] 0 1572 6281 1 1 0 0 oddjobd
Jan 15 08:52:24 xyz-server kernel: [ 1604] 0 1604 1014 1 0 0 0 mingetty

Jan 15 08:52:24 xyz-server kernel: [ 1606] 0 1606 1014 1 0 0 0 mingetty
Jan 15 08:52:24 xyz-server kernel: [ 1608] 0 1608 1014 1 0 0 0 mingetty
Jan 15 08:52:24 xyz-server kernel: [ 1610] 0 1610 1014 1 0 0 0 mingetty
Jan 15 08:52:24 xyz-server kernel: [ 1612] 0 1612 1014 1 0 0 0 mingetty
Jan 15 08:52:24 xyz-server kernel: [ 2942] 0 2942 258414 1 1 0 0 console-kit-dae
Jan 15 08:52:24 xyz-server kernel: [23467] 38 23467 8059 17 1 0 0 ntpd
Jan 15 08:52:24 xyz-server kernel: [27532] 0 27532 2658 2 3 -17 -1000 udevd
Jan 15 08:52:24 xyz-server kernel: [ 2172] 0 2172 65647 620 1 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [ 8027] 0 8027 1014 1 1 0 0 mingetty
Jan 15 08:52:24 xyz-server kernel: [18630] 498 18630 636245 14471 3 0 0 shibd

Jan 15 08:52:24 xyz-server kernel: [18719] 0 18719 49858 30 0 0 0 sssd
Jan 15 08:52:24 xyz-server kernel: [18720] 0 18720 74218 2279 0 0 0 sssd_be
Jan 15 08:52:24 xyz-server kernel: [18721] 0 18721 50428 56 3 0 0 sssd_nss
Jan 15 08:52:24 xyz-server kernel: [18722] 0 18722 48008 5 2 0 0 sssd_pam
Jan 15 08:52:24 xyz-server kernel: [18723] 0 18723 48703 1 3 0 0 sssd_ssh
Jan 15 08:52:24 xyz-server kernel: [18724] 0 18724 47528 4 1 0 0 sssd_sudo
Jan 15 08:52:24 xyz-server kernel: [18725] 0 18725 52553 1 2 0 0 sssd_pac
Jan 15 08:52:24 xyz-server kernel: [18749] 0 18749 15560 1 1 0 0 certmonger
Jan 15 08:52:24 xyz-server kernel: [18849] 0 18849 20820 14 1 0 0 master
Jan 15 08:52:24 xyz-server kernel: [18852] 89 18852 20883 2 0 0 0 qmgr

Jan 15 08:52:24 xyz-server kernel: [23143] 500 23143 4285995 3415938 2 0 0 java
Jan 15 08:52:24 xyz-server kernel: [23198] 0 23198 2658 2 0 -17 -1000 udevd
Jan 15 08:52:24 xyz-server kernel: [18831] 0 18831 8062 61 0 0 0 rotatelogs
Jan 15 08:52:24 xyz-server kernel: [18838] 0 18838 8062 62 0 0 0 rotatelogs
Jan 15 08:52:24 xyz-server kernel: [21841] 48 21841 104759 1396 2 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22089] 48 22089 104759 1382 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22178] 48 22178 104759 1365 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22234] 48 22234 104759 1367 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22241] 48 22241 104759 1359 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22261] 48 22261 104759 1368 2 0 0 httpd

Jan 15 08:52:24 xyz-server kernel: [22272] 48 22272 104759 1363 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22296] 48 22296 104759 1375 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22336] 48 22336 104759 1364 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22348] 48 22348 104759 1354 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22349] 48 22349 104759 1365 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22356] 48 22356 104759 1361 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22361] 48 22361 104759 1364 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22372] 48 22372 104759 1356 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22375] 48 22375 104759 1352 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22389] 48 22389 104759 1362 0 0 0 httpd

Jan 15 08:52:24 xyz-server kernel: [22390] 48 22390 104759 1360 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22397] 48 22397 104759 1357 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22398] 48 22398 104759 1359 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22401] 48 22401 104759 1358 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22430] 89 22430 20840 218 0 0 0 pickup
Jan 15 08:52:24 xyz-server kernel: [22435] 48 22435 104759 1354 1 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22441] 48 22441 104759 1348 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22457] 48 22457 104759 1345 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22461] 48 22461 104759 1337 3 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22464] 48 22464 104713 1307 0 0 0 httpd

Jan 15 08:52:24 xyz-server kernel: [22465] 48 22465 104759 1332 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22470] 48 22470 104759 1338 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22471] 48 22471 104759 1337 3 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22472] 48 22472 104759 1347 3 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22473] 48 22473 104713 1308 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22483] 48 22483 104713 1408 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22487] 48 22487 104759 1430 1 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22488] 48 22488 104713 1397 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22490] 48 22490 104759 1472 1 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22496] 48 22496 85768 1404 2 0 0 httpd

Jan 15 08:52:24 xyz-server kernel: [22497] 48 22497 85768 1404 2 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22498] 48 22498 85768 1404 2 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: [22504] 48 22504 88329 1408 0 0 0 httpd
Jan 15 08:52:24 xyz-server kernel: Out of memory: Kill process 23143 (java) score 748 or sacrifice child
Jan 15 08:52:24 xyz-server kernel: Killed process 23143, UID 500, (java) total-vm:17143980kB, anon-rss:13663732kB, file-rss:16kB

Answer



Your problem is clear from anon-rss:13663732kB. Whether a kernel allocation can sleep and reclaim memory (GFP, "get free page", flags) depends on who is doing the allocation. For example, if the server is tight on memory and a user process requests 1M of memory, the kernel can sleep and try to free memory to satisfy the request, migrating the least-used pages out to swap. But in your case the kernel was trying to allocate two contiguous pages (order=1) while creating a process in do_fork; for the kernel that is a critical path where it cannot sleep, so it could not wait for pages to be swapped out and invoked the OOM killer instead.


Sunday, September 24, 2017

ubuntu - Unable to limit Apache server-status page to localhost




I am using Apache 2.4.18 on Ubuntu.



I want to allow reading server status only from localhost.



In /etc/apache2/mods-enabled/status.conf I have:




<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>




I have read https://httpd.apache.org/docs/2.4/howto/access.html and from it I believe the above configuration should work. I have restarted Apache to ensure that the new configuration is active. However, the status page is still readable from anywhere.



In /etc/apache2/sites-enabled/mysite.conf I have:



DocumentRoot /var/www

<Directory />
    Require all granted
</Directory>




What is wrong with my configuration?


Answer



From what I can see, the virtual host config file seems to take precedence over the mod_status config file.



You actually grant everyone access to / within mysite.conf:




Require all granted




This results in everyone being able to access /server-status.



You would have to manage the permissions for /server-status in the virtual host config file itself, /etc/apache2/sites-enabled/mysite.conf:



DocumentRoot /var/www

<Directory />
    Require all granted
</Directory>

<Location /server-status>
    Require local
</Location>



From there, whatever permissions you set in /etc/apache2/mods-enabled/status.conf will be ignored, as the virtual host config takes precedence over /etc/apache2/mods-enabled/status.conf.


router - Specifying which external IP addresses can access port 80

UPDATE 1:



I am using Apache 2 as the web server. Can I block access to all IP addresses except 3 from within Apache?
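For reference, a hedged sketch of what that Apache-side restriction could look like (Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require ip ..."; the directory path and addresses below are placeholders):

<Directory /var/www/html>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10 198.51.100.20 192.0.2.30
</Directory>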




ORIGINAL QUESTION:



I have a Linksys BEFSR41 router and have opened port 80 for development purposes. Is it possible to block access to port 80 for everyone except certain IP addresses? Port 80 should only be accessible to about 3 IP addresses from outside the internal network.



I have tried looking at the manual for the BEFSR41, but can't seem to find what I am looking for. Or maybe I don't understand what this type of filtering is called.

filesystems - How does Linux handle concurrent disk IO?



When a Linux server is serving many concurrent requests to read many different files, does it:





  1. Seek to File_1, read the entire file, then seek to File_2, read the entire file, then seek to File_3, etc etc


  2. Seek to File_1, read part of it (up to the readahead value?), then seek to File_2, read part of it, then seek back to File_1 where it has left off, read more of it, then seek to File_3, etc, etc




If it's the 2nd case, then the server is doing a lot more seeks than is necessary, which would slow things down significantly. In that case is there any tuning I could do?


Answer



In disk I/O there is a thing called the elevator. The disk subsystem tries to avoid thrashing the disk head all over the platters. It re-orders I/O requests (when not prohibited, e.g. by a barrier) so that the head moves from the inside of the disk to the outside and back, performing the requested I/Os on the way.



The second thing is I/O request merging. If there are many requests within a short time window that access different portions of the same file, the I/O subsystem will try to get all the data in one go, instead of issuing several disjointed requests.




As far as tuning goes: if you are the application writer, there's a lot you can do. You can issue large, sequential I/Os whenever you can, and use fsync() et al. when you need to be sure that the data is on the platters.



If you are a sysadmin, and you know for certain that the data requests of 2 apps leapfrog each other while both try to read files sequentially (e.g. you have 2 DVDs being transcoded in parallel), then yes, increasing readahead should help. Otherwise you'd need to take a look at your I/O patterns and sizes, and consider your RAID level (if any) and other factors, before doing any tuning. Look at what your real bottlenecks are before you start tuning; it can be difficult to guess what's really limiting your system.
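If you do decide to experiment with readahead, a hedged sketch (the device name is a placeholder; the value is in 512-byte sectors):

blockdev --getra /dev/sda          # show the current readahead, in 512-byte sectors
blockdev --setra 4096 /dev/sda     # raise it to 4096 sectors (2 MiB) and re-measure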


backup - From bad sector to "damaged file" - did it for Linux/ext3, can I do it for Windows/NTFS?



When a SMART check on a disk reports a bad sector, it is important to be able to identify the file containing the bad sector - and restore it from backups. Below I show how I did this for my Linux/ext3 VMware server - but does anyone know if this can be done for Windows/NTFS?



Here's how I did it for Linux/ext3: I first asked the drive to do a hardware surface scan (below the OS level, with the on-drive SMART circuits):




vserver:~# smartctl -t long /dev/sdc


I looked at the results:



vserver:~# smartctl -a /dev/sdc
...
196 Reallocated_Event_Count 0x0032 100 100 000 Old_age Always - 1
197 Current_Pending_Sector 0x0012 100 100 000 Old_age Always - 9
...

Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed: read failure 90% 27679 591363172


So, one sector was already marked bad, and 9 were marked for replacement from the "staging" sector space. More importantly, the first logical block address (LBA) that is unreadable was 591363172.



I found the partition (and the offset inside it) that this number "translated" to:



vserver:~# fdisk -lu /dev/sdc
Device Boot Start End Blocks Id System

/dev/sdc1 32 976773119 488386544 83 Linux


The partition started at sector 32. So, the bad sector was...



vserver:~# bc -l
591363172-32+1
591363141



...at an offset of 591363141 sectors from the beginning of the partition.



Now I could find which file was "hosed":



vserver:~# tune2fs -l /dev/sdc1 | grep Block\ size
Block size: 4096


The block size of this EXT3 filesystem was 4096 bytes, so the bad sector destroyed this block in the filesystem:




vserver:~# bc -l
591363141*512/4096
73920392.62500000000000000000


And the block number (73920392) corresponded into this file:



vserver:~# debugfs
debugfs 1.41.3 (12-Oct-2008)
debugfs: open /dev/sdc1

testb 73920392
debugfs: testb 73920392
Block 73920392 marked in use
debugfs: icheck 73920392
Block Inode number
73920392 18472967
debugfs: ncheck 18472967
Inode Pathname
18472967 /path/to/filewithbadsector



And I restored that file from my backups.



Is there an equivalent procedure I can follow for Windows/NTFS?


Answer



I know you have an NTFS filesystem and run Windows on it.
I don't know whether you could boot a live Linux to work on that drive or not.



If you can boot Linux from CD or USB,
you can use ntfsprogs. Look at:




ntfscluster 

ntfsinfo


I believe ntfscluster tells you which file a particular cluster belongs to. I hope this puts you in the right direction.
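A hedged sketch of what that lookup might look like (device and offsets are placeholders, reusing the numbers from the ext3 walkthrough; run from a live Linux with ntfsprogs/ntfs-3g installed):

# ntfscluster takes offsets relative to the start of the NTFS partition,
# so subtract the partition's starting sector first, as in the ext3 example.
ntfscluster -s 591363141 /dev/sdc1
# or, if you have already converted the sector to a cluster number:
ntfscluster -c 73920392 /dev/sdc1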


Saturday, September 23, 2017

Apparently Unexplained Load Average




I have been experiencing very strange server load, with no obvious reason. Could anyone explain the cause, or how to debug this further?






One Minute      - 22.9
Five Minutes - 17.98
Fifteen Minutes - 10.02

top - 20:34:28 up 22 days, 7:51, 0 users, load average: 22.55, 22.49, 14.51

Tasks: 131 total, 3 running, 128 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.1%us, 0.0%sy, 0.0%ni, 98.6%id, 1.3%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2097152k total, 596576k used, 1500576k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
11854 root 18 0 2444 980 720 R 2.0 0.0 0:00.01 top
11856 root 18 0 2444 988 720 R 2.0 0.0 0:00.01 top
1 root 15 0 2156 592 564 S 0.0 0.0 0:10.26 init
3393 apache 18 0 50276 33m 1888 S 0.0 1.6 0:00.00 httpd

3445 pegpro 18 0 17872 3304 2368 D 0.0 0.2 0:00.03 php-cgi
3446 root 18 0 5040 1056 852 S 0.0 0.1 0:00.00 crond
3723 apache 15 0 50276 33m 1896 S 0.0 1.6 0:00.01 httpd
3735 pegpro 18 0 17872 3308 2368 D 0.0 0.2 0:00.03 php-cgi
3752 root 18 0 9152 2068 1740 S 0.0 0.1 0:00.01 dataskq
3956 root 18 0 5040 1128 852 S 0.0 0.1 0:00.00 crond
5138 root 18 0 20380 15m 1712 S 0.0 0.8 0:00.05 lfd
5279 root 18 0 9152 2084 1752 S 0.0 0.1 0:00.05 dataskq
5331 root 18 0 5040 1108 852 S 0.0 0.1 0:00.00 crond
5496 admin 18 0 17872 3308 2368 D 0.0 0.2 0:00.01 php-cgi

5637 root 18 0 9152 2080 1752 S 0.0 0.1 0:00.01 dataskq
5641 apache 16 0 50276 33m 1896 S 0.0 1.6 0:00.03 httpd
5648 root 18 0 49988 33m 2036 S 0.0 1.6 0:00.67 httpd
5702 apache 18 0 50280 33m 1820 S 0.0 1.6 0:00.03 httpd
5851 admin 18 0 17872 3304 2368 D 0.0 0.2 0:00.01 php-cgi
7256 mail 16 0 10364 2700 2176 D 0.0 0.1 0:00.02 exim
7287 apache 15 0 50276 33m 1876 S 0.0 1.6 0:00.00 httpd
7379 root 18 0 5040 1128 860 S 0.0 0.1 0:00.02 crond
7474 apache 16 0 50280 33m 1836 S 0.0 1.6 0:00.00 httpd






One Minute      - 22.9
Five Minutes - 17.98
Fifteen Minutes - 10.02

top - 20:34:28 up 22 days, 7:51, 0 users, load average: 22.51, 22.49, 14.55
Tasks: 131 total, 3 running, 128 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.1%us, 0.0%sy, 0.0%ni, 98.6%id, 1.3%wa, 0.0%hi, 0.0%si, 0.0%st

Mem: 2097152k total, 596576k used, 1500576k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
11856 root 18 0 2444 988 720 R 2.0 0.0 0:00.01 top
1 root 15 0 2156 592 564 S 0.0 0.0 0:10.26 init
3393 apache 18 0 50276 33m 1888 S 0.0 1.6 0:00.00 httpd
3445 pegpro 18 0 17872 3304 2368 D 0.0 0.2 0:00.03 php-cgi
3446 root 18 0 5040 1056 852 S 0.0 0.1 0:00.00 crond
3723 apache 15 0 50276 33m 1896 S 0.0 1.6 0:00.01 httpd

3735 pegpro 18 0 17872 3308 2368 D 0.0 0.2 0:00.03 php-cgi
3752 root 18 0 9152 2068 1740 S 0.0 0.1 0:00.01 dataskq
3956 root 18 0 5040 1128 852 S 0.0 0.1 0:00.00 crond
5138 root 18 0 20380 15m 1712 S 0.0 0.8 0:00.05 lfd
5279 root 18 0 9152 2084 1752 S 0.0 0.1 0:00.05 dataskq
5331 root 18 0 5040 1108 852 S 0.0 0.1 0:00.00 crond
5496 admin 18 0 17872 3308 2368 D 0.0 0.2 0:00.01 php-cgi
5637 root 18 0 9152 2080 1752 S 0.0 0.1 0:00.01 dataskq
5641 apache 16 0 50276 33m 1896 S 0.0 1.6 0:00.03 httpd
5648 root 18 0 49988 33m 2036 S 0.0 1.6 0:00.67 httpd

5702 apache 18 0 50280 33m 1820 S 0.0 1.6 0:00.03 httpd
5851 admin 18 0 17872 3304 2368 D 0.0 0.2 0:00.01 php-cgi
7256 mail 16 0 10364 2700 2176 D 0.0 0.1 0:00.02 exim
7287 apache 15 0 50276 33m 1876 S 0.0 1.6 0:00.00 httpd
7379 root 18 0 5040 1128 860 S 0.0 0.1 0:00.02 crond
7474 apache 16 0 50280 33m 1836 S 0.0 1.6 0:00.00 httpd
7550 apache 18 0 50276 33m 1924 S 0.0 1.6 0:00.00 httpd

Answer



If you look at both top outputs you'll notice a fair number of processes in state (S) 'D'. This means they are waiting for disk I/O. In most modern UNIX environments the load average is a combination of both runnable processes (waiting for CPU) and processes waiting for disk I/O. It appears your server has saturated the available I/O subsystem for the demand placed on it. You can verify this with tools like iostat (try installing the iostat or sysstat package on your system). Then run:




# iostat -x 1


and watch the busy % (the %util column).


virtualization - Free tiered storage automation in linux?

I have a couple virtualized fileservers running in QEMU/KVM on ProxmoxVE.




The physical host has 4 storage tiers with significant performance variances. They're attached both locally and via NFS.



These will be provided to the fileserver(s) as local disks, abstracted into pools, and handling multiple streams of data for the network. My aim is for this abstraction layer to intelligently pool the tiers.



There's a similar post on the site here:
Home-brew automatic tiered storage solutions with Linux? (Memory -> SSD -> HDD -> remote storage) in which the accepted answer was a suggestion to abandon a linux solution for NexentaStor.



I like the idea of running NexentaStor. It almost fits the bill.



NexentaStor provides Hybrid Storage Pools, and I love the idea of checksumming. 16TB without incurring licensing fees is a huge plus as well.

After the expense of the hardware, free is about all my budget can handle.



I don't know if ZFS pools are adaptive or dynamically allocated based on load, but it becomes irrelevant since NexentaStor doesn't support virtio network or block drivers, which are a must in my environment.



Then I saw a commercial solution called SmartMove: http://www.enigmadata.com/smartmove.html



And it looks like a step in the right direction, but I'm so broke I'd be wasting their time to even ask for a quote, so I'm looking for another option.



I'm after a linux implementation that supports virtio drivers, and I'm at a loss as to which software is up to it.

Friday, September 22, 2017

linux - Restrict FTP account access down to several directories



Is there any way to restrict SSH and FTP account access to only certain directories?



For example on our VPS we have some paths like:



@project root/proj1
@project root/proj2

@project root/proj3


And I want user1 to be able to access all three, user2 only the second, and user3 only the first and second. Moreover, is there any way to show users only the directories they are allowed to access?



I mean, if for example there are directories such as:



/var/www/project
/var/www/project2
/var/www/project3



And a user might be allowed into only project and project2, but not project3. So he could access /var/www, but not /var.



P.S. We have DirectAdmin and Debian Squeeze.


Answer



You can do this by making symlinks to the real locations in each user's home directory, and restricting FTP access to the home directory only.



ProFTPd can do this, among others.
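A hedged sketch of that layout, using the paths and the user2/user3 mapping from the question (note that if the FTP daemon chroots users into their home directories, e.g. with ProFTPd's DefaultRoot ~, plain symlinks pointing outside the chroot will not resolve, and bind mounts are needed instead):

ln -s /var/www/project2 /home/user2/project2     # user2: project2 only
ln -s /var/www/project  /home/user3/project      # user3: project and project2
ln -s /var/www/project2 /home/user3/project2
# user1 would get links to all three directories in the same way.
# Chroot-safe alternative to a symlink:
mkdir -p /home/user2/project2
mount --bind /var/www/project2 /home/user2/project2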


Thursday, September 21, 2017

partition - BI Server raid/array configuration

I'm currently maintaining a BI server that crunches numbers for reports etc. It is running on an HP ProLiant DL360 G5 with 32 GB RAM and a Smart Array P800 connected to an MSA unit with 750 GB in RAID 1+0 (1.5 TB total, 22 disks of 72 GB each). The server itself has 136 GB for the OS and 3 logical partitions for Database (293 GB), StageDatabase (292 GB) and DWHDatabase (165 GB). I've been asked to assign each of these partitions to physical disks in the MSA unit - is this possible? Furthermore, I've read that best practice for SQL Server is RAID 1 for the OS and RAID 1+0 for the data?



The primary question here is, how do I map the logical drives to the physical drives?




I'm sorry if it's a stupid question, server setup is quite new to me.

VMWare fusion NAT + host tunnel; access from vm

I'm having trouble accessing a port on my OSX host from a vm.



I'm using NAT in VMware fusion. In my (OSX host) hosts file, I have the ip address for vmnet8 mapped to 'mac'.



From my vm, I can 'ssh user@mac' and it works as expected: I am logged into the host. So, my hosts file is working.




I have a tunnel from my OS X host to an Oracle server at work. I can use the tunnel (localhost:6004) from the host with no problem. However, if I try to use the name 'mac' instead of 'localhost', it does not work. As a result, I am not able to access the tunnel from the VM either. (I can't use the localhost name from the VM, obviously.)



Why isn't the tunnel accessible using 'mac', while ssh works fine?

centos - sendmail not sending mails to @samedomain (target mail is on google apps)




I've set up sendmail just to send out mail from our PHP web application.
That works fine, as long as we are not sending mail to the same domain as our web app.



e.g.



our app = www.ourapp.com
sending mail works perfectly, except to anything@ourapp.com



I don't know if it's relevant, but our target email is hosted with google apps.

The sendmail queue is empty and the log files always say the message has been sent.



we are running CentOS as our OS


Answer



This problem solved itself after 1-2 days. It probably was just a DNS propagation issue: we already had the updated records, but perhaps the mail servers we were testing against still had the old DNS data cached.



thanks all for the help on this one


Wednesday, September 20, 2017

openssl - Trying to connect to LDAPS (Windows active directory) but keep receiving Verify return code: 20 (unable to get local issuer certificate) error

I've been given a certificate by the person who runs our Active Directory server so I can use LDAPS but I can't get it to work. When verifying with openssl:




openssl s_client -connect domain.com:636 -CAfile  ~/filename.pem


I just get Verify return code: 20 (unable to get local issuer certificate) every time.



I'm wondering if the server is misconfigured, because I have tried to get the certificate straight from the server like this (from an Ubuntu 16.04 client):



openssl s_client -host domain.com -port 636 -prexit -showcerts



And I get the same error message even with that.



Whereas if I type:



openssl s_client -host google.com -port 443 -prexit -showcerts


I get Verify return code: 0 (ok)




I've tried copying certificates into /etc/ssl/certs. I've tried using -CApath and -CAfile to give various certificates to the server.



Really I'm asking whether error code 20 in response to openssl with -showcerts means the server really is misconfigured, or whether I'm just not doing it right, because I'd hate to spend more time on the client when it's the server that's misbehaving.



openssl x509 -noout -text -in filename.pem



returns (with some redactions):



Certificate:




Data:

Version: 3 (0x2)
Serial Number:
xxxxxxxxxxxxxxxx
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=My organisation RootCA
Validity
Not Before: May 20 13:11:34 2016 GMT
Not After : May 20 13:21:34 2021 GMT

Subject: DC=org, DC=example, CN=My organisation Issuing CA


And then a load of stuff that all looks fine. That is the root certificate, is it not? It says RootCA on it, after all.



Oh yes, and if I feed that certificate in, with



openssl s_client -connect domain.com:636 -CAfile file.pem



I do get a different error message:




Verify return code: 2 (unable to get issuer certificate)



So this feels like I have one certificate but not the other.



I did get another one using nmap --ssl-cert but I don't seem to be able to get anything other than error code 20 with that.
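Going by the Subject/Issuer shown above, filename.pem looks like the issuing (intermediate) CA rather than the root, which would explain error 2 (unable to get issuer certificate): openssl has the intermediate but cannot chain it up to a trusted root. A common fix, sketched here with a hypothetical RootCA.pem that you would still need to obtain from your AD administrator, is to hand s_client the whole chain in one bundle:

cat RootCA.pem filename.pem > ca-chain.pem
openssl s_client -connect domain.com:636 -CAfile ca-chain.pem

If the verify code then drops to 0, the client side is fine, and the remaining question is whether the AD server should also be configured to send its intermediate certificate in the TLS handshake.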

linux - Out of disk space on 4GB partiton yet it's only using 2GB



I'm running Ubuntu and have had a problem where the root partition has run out of disk space.




When I perform df -h I get the following:



Filesystem            Size  Used Avail Use% Mounted on
/dev/sda6             4.6G  4.5G     0 100% /


Yet there are only 2 GB of files actually using up this partition. I then ran df -i and got the following:



Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/sda6             305824  118885  186939   39% /


I have no idea what the -i flag does but it clearly shows that only 39% is used.



Can anyone explain where my disk space has gone?


Answer



You probably have a process keeping a file open that's been deleted. Deleted-but-open files keep consuming disk space, but don't show up in du or ls. "df -i" is a red herring here; it just shows how many inodes (roughly, how many files) are in use, not how much space they occupy.



If you can't figure out what process is holding a big (deleted) file open, and chances are it's a zombie or something hung, it might be time for a reboot.
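To find the culprit before rebooting, lsof can list open files whose on-disk link count is zero, i.e. files that have been deleted but are still held open. A minimal sketch (output format varies slightly between lsof versions):

lsof +L1

# or, more verbosely:
lsof -nP | grep '(deleted)'

Restarting (or killing) the process shown in the first column releases the space immediately; no reboot needed unless the process is truly hung.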



Tuesday, September 19, 2017

Move primary domain hosting from GoDaddy, but keep email & subdomains there w/ non-GoDaddy registrar



Given a domain registered through DotRegistrar, with GoDaddy as the current host (shared hosting) I need to figure out how to move the hosting for the primary domain to another hosting provider (Force.com) but continue to use GoDaddy for email and for one or more subdomains to serve large media files that we can't store in Force.com.



Currently, we're using GoDaddy's DNS servers, but since GoDaddy is not the registrar, we can't access their domain management system, and can only add subdomains through the hosting control panel.



I think I kinda' know what to do, but I want to make sure I really get it before I start reconfiguring things! Any advice would be appreciated.




I think the steps are roughly...




  1. Switch the primary DNS servers for the domain from GoDaddy's to DotRegistrar's.
    (perform remaining steps in DotRegistrar's DNS management system)

  2. Add a CNAME record to set the canonical name of {our-domain}.com. to {our-domain}.force.com.

  3. Add MX records for smtp.secureserver.net (priority 0) and mailstore1.secureserver.net (priority 10) to match what GoDaddy previously had for us.

  4. Add an A record for each subdomain that should be hosted at GoDaddy, pointing to the same IP address that the top-level domain was pointed to before by the GoDaddy DNS.




Does this look right? Are there any gotchas I need to be aware of?


Answer



You've covered things pretty well there, apart from the redirection of your domain.com address to force.com. According to the RFCs you should not use a CNAME for the root record of your domain, so what you should really be doing here is creating an A record for domain.com that points to the IP of your hosting at force.com, and configuring that host to serve pages for that URL.
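Sketched out as zone records, the plan would look roughly like the following; the IP addresses are documentation placeholders (not your real Force.com or GoDaddy addresses) and the subdomain name is just an example:

@        IN  A      203.0.113.10            ; Force.com hosting for domain.com
@        IN  MX 0   smtp.secureserver.net.
@        IN  MX 10  mailstore1.secureserver.net.
media    IN  A      198.51.100.20           ; subdomain still hosted at GoDaddy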


linux - Redhat 5.5: Multi-thread process only uses 1 CPU of the available 8

Weird situation:
Red Hat Enterprise Linux 5.5 (stock install, no updates, x64) on an HP Z800 workstation.
(Dual Xeon 2.2 GHz: 8 cores, 16 if you count Hyper-Threading. RHEL sees 16 cores.)




We have an application that can utilize 1, 2 or 4 threads for heavy calculations.
Somehow all these threads run on the same core at 100% load (the other 15 cores are nearly idle), so there is absolutely no benefit from the extra threads.
In fact there is a slight slowdown as the threads get in each other's way on the single core.



How do I get them to run on separate cores (if possible)? The application is 64-bit. I can't change anything about the software except the thread-count setting.
Is there some obscure Linux setting I can try to change? (I'm a Tru64 and AIX guy. I use Linux, but have no in-depth knowledge of process scheduling on Linux.)






/proc/cpuinfo lists all 16. top and the GNOME CPU monitor both indicate only 1 core is used. I tried something similar to that Perl suggestion as well; we can load all CPUs to nearly 100% if we want to.

The application vendor claims: yes, it is multi-threaded, but it is not optimized yet; that will come in the next version (in August).



So I think the application is doing sub-threading within its own process space instead of proper, truly separate threads. Really nothing I can do about it then...
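For anyone in the same spot, it can still be worth confirming where the threads actually land before blaming the application. The commands below are a diagnostic sketch; <pid> and the process name are placeholders, and on a distribution this old you may need to apply affinity per thread ID:

# Which CPU did each thread last run on? (PSR column)
ps -eLo pid,tid,psr,pcpu,comm | grep <application-name>

# What affinity mask does the process have?
taskset -cp <pid>

# Spread it across CPUs 0-3, for example:
taskset -cp 0-3 <pid>

If the application implements its "threads" in user space inside a single kernel thread, as the vendor's answer suggests, affinity changes won't help; there is only one kernel thread for the scheduler to place.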

Monday, September 18, 2017

domain name system - A records and CNAME records

I have a question about A records and CNAME records. Some info: we have our domain registered at Networksolutions.com; the domain name, for example, is company.com. We have two web servers, and on those two web servers there are multiple websites for different customers. For all those different customers we have made A records that point to one of those servers. For example:



a.company.com - 192.168.0.1



b.company.com - 192.168.0.1



c.company.com - 192.168.0.2




d.company.com - 192.168.0.2



etc.



We now have so many A records that I cannot add any more via the website, so we have a problem. We have been in contact with Network Solutions and they tell us that we need to open a support ticket and they will add the A records.
This is not a solution for us. I have been reading up and I think that CNAME records are a solution for us, but I am not familiar with them. Can someone help me out with this? How should I configure the CNAME records in order to reach the different websites for each customer?



Is this possible, or is the only solution to let Network Solutions add the new A records?



Thanks in advance…
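For illustration only (no answer was recorded for this one): a common pattern is to give each web server one A record and point the customer names at it with CNAMEs, so a server IP change touches a single record. The server names below are hypothetical. Note this does not by itself reduce the total number of records you have to create; a wildcard record is the usual alternative if every new name should default to one server.

web1.company.com.    IN  A      192.168.0.1
web2.company.com.    IN  A      192.168.0.2

a.company.com.       IN  CNAME  web1.company.com.
b.company.com.       IN  CNAME  web1.company.com.
c.company.com.       IN  CNAME  web2.company.com.

; or, catch-all:
*.company.com.       IN  A      192.168.0.1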

pci express - PCIe x8 NIC in PCIe x16 slot



I have a motherboard with only one x16 PCIe slot and no x8 slots. I am buying a NIC with a very specific configuration, but it is available for x8 slots only. Can I plug an x8 card into an x16 slot? I have googled this question and it seems quite possible, but I need an answer from an expert. Also, are there any performance implications?


Answer



What should be: The PCIe spec states that all slots start at 1x/v1.0 and negotiate how many lanes they can use and at what clock speed. It shouldn't matter which side supports more lanes/clock: some slots are designed to take larger cards, and smaller cards fit in larger slots. Whatever the highest spec both sides can communicate at (both the number of lanes and the clock/version) is what will be negotiated and used. Endpoints can support 1x, 2x, 4x, 8x, 16x, and 32x, though there are no slots specifically for 2x and 32x. Speed is specified by major version number (2.5, 5.0, 8, 16 GT/s).



What really is: Usually what should happen is what actually happens. But there are quite a few boards (especially enthusiast boards) that do not follow spec. Some motherboards will not use anything but a 16x video card in their first PCIe slot. Others will not auto-negotiate correctly (commonly falling back to fewer lanes; this seems particularly common with 2x cards that negotiate down to 1x speed). In server-grade hardware these problems are very rare, but it happens. If both the system/motherboard and the card are from the same manufacturer, you should be able to contact their support and find out if it's a supported configuration (if they don't know or can't answer, it's a huge red flag and you should consider not buying from them/returning). Also, try searching for your particular motherboard and see if anyone has reported a problem.


linux - Should /etc/hosts contain an entry like '127.0.0.1 localhost myhost.example.org myhost'?



When looking at a variety of Linux and FreeBSD systems, I've noticed that on some systems /etc/hosts contains an entry for the public hostname of the host, but not on others.



What is the best practice here? Should my /etc/hosts file contain an entry for the hosts FQDN (e.g. myhost.example.org) and for the short hostname (e.g. myhost)? Should the record for the FQDN point to the localhost or should it point to the external IP of the box?



For example, the default configuration on many RHEL/EL boxes doesn't put the public hostname into /etc/hosts:



myhost # cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
myhost #


The other variant is that the host's short hostname and FQDN also point to 127.0.0.1. I've been told that this is an older practice which is frowned upon these days, but plenty of admins still do this.



myhost # cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 myhost myhost.example.org
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
myhost #



The third variant is that the host's FQDN and short hostname are given the external IP address of the host. This third variant seems optimal to me because it reduces lookups against the DNS servers.



myhost # cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
74.125.239.xxx myhost myhost.example.org
myhost #



What is the best practice here?


Answer



Are you willing to accept working DNS as a point of failure in your environment or not? Some services/applications will fail in certain configurations if a system cannot resolve the local machine's name.



If you have an absolutely critical service that must be running in all situations, it isn't unusual to add an entry to the hosts file so that the service can continue to operate when DNS resolution fails.



If you can accept your DNS as a point of failure, or if your services don't fail in the case of broken resolution, configuration entries in the hosts file can be avoided.



I strongly suggest you make your DNS servers as rock solid as possible, and if you must configure your hosts file, use a configuration management system to do it. You really should avoid touching a hosts file manually.
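As a minimal sketch of the "let configuration management own it" approach, here is what that might look like in Ansible; the hostname and IP are hypothetical, and any other CM tool (Puppet, Chef, Salt) can do the equivalent:

- name: Pin the critical database server in /etc/hosts
  hosts: all
  become: true
  tasks:
    - name: Ensure the hosts entry exists
      lineinfile:
        path: /etc/hosts
        line: "10.0.0.5 dbserver.example.org dbserver"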



Sunday, September 17, 2017

iis 7.5 - Can you prevent IIS7/8 from monitoring UNC paths for web.config changes?




I have a web server which loads imagery from UNC filesystems for each site. These are added as a virtual directory for each site. These filesystems can contain thousands of folders and it appears that IIS is monitoring each folder for changes, which means the server eventually runs out of file handles for the UNC filesystem. I've increased the number, but this only puts off the issue. Is there a way of telling IIS not to monitor for changes on UNC filesystems?



I've looked at EnableChangeNotificationForUNC but there isn't an ASP entry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ on the machine so I assume this is out of date.


Answer



For virtual directories there is the allowSubDirConfig property, which defaults to true. This controls whether subdirectories are checked for web.config files. Set the default to false or set it on a per-virtual-directory basis. Both are in the applicationHost.config file.
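A rough sketch of what that looks like in applicationHost.config; the site name, local paths and UNC share below are made up for illustration:

<!-- change the default for every virtual directory -->
<sites>
    <virtualDirectoryDefaults allowSubDirConfig="false" />
    ...
</sites>

<!-- or per virtual directory -->
<site name="ImagerySite" id="2">
    <application path="/">
        <virtualDirectory path="/" physicalPath="D:\inetpub\imagerysite" />
        <virtualDirectory path="/images" physicalPath="\\fileserver\imagery"
                          allowSubDirConfig="false" />
    </application>
</site>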











Saturday, September 16, 2017

linux - Symbolic Link & LAMPP htdocs



I went through these steps in order to make a symlink directory to use outside of lampp htdocs.



$ mkdir test

$ chmod 777 test
//test is now in /home/Dropbox/test/
//I put an index.html with 777 perms in it.
$ cd /opt/lampp/htdocs/
$ sudo ln -s /home/Dropbox/test/ /opt/lampp/htdocs/$USER
//my user appears as symlink directory in htdocs.
$ /opt/lampp/lampp stop
$ /opt/lampp/lampp start
//lampp is now restarted



I type in localhost/myusername and get a 404 error... object not found.



Note that I can create regular directories and .html/.php files in the htdocs directory, but I cannot do any symlink directories or .html/.php files, they will not load.



Thank you for input!



httpd conf (only the parts involving SymLinks)





<Directory />
    Options FollowSymLinks
    AllowOverride None
#XAMPP
#    Order deny,allow
#    Deny from all
</Directory>

<Directory "/opt/lampp/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    #Options Indexes FollowSymLinks
    # XAMPP
    Options Indexes FollowSymLinks ExecCGI Includes

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    #AllowOverride None
    # since XAMPP 1.4:
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all
</Directory>






error_log



$ tail -f error_log 

[Fri Dec 23 13:55:50 2011] [error] [client 127.0.0.1] Symbolic link not allowed or link target not accessible: /opt/lampp/htdocs/*myusername*
[Fri Dec 23 13:56:02 2011] [notice] caught SIGTERM, shutting down
[Fri Dec 23 13:56:08 2011] [notice] suEXEC mechanism enabled (wrapper: /opt/lampp/bin/suexec)
[Fri Dec 23 13:56:08 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Dec 23 13:56:08 2011] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Fri Dec 23 13:56:08 2011] [notice] Digest: generating secret for digest authentication ...
[Fri Dec 23 13:56:08 2011] [notice] Digest: done
[Fri Dec 23 13:56:09 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Dec 23 13:56:09 2011] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Fri Dec 23 13:56:09 2011] [notice] Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1 configured -- resuming normal operations





access_log



$ tail -f access_log 
127.0.0.1 - - [23/Dec/2011:13:41:27 -0500] "GET /work HTTP/1.1" 403 1111
127.0.0.1 - - [23/Dec/2011:13:41:27 -0500] "GET /work HTTP/1.1" 403 1111
127.0.0.1 - - [23/Dec/2011:13:41:28 -0500] "GET /work HTTP/1.1" 403 1111

127.0.0.1 - - [23/Dec/2011:13:55:47 -0500] "GET / HTTP/1.1" 302 -
127.0.0.1 - - [23/Dec/2011:13:55:47 -0500] "GET /xampp/ HTTP/1.1" 200 588
127.0.0.1 - - [23/Dec/2011:13:55:47 -0500] "GET /xampp/head.php HTTP/1.1" 200 1362
127.0.0.1 - - [23/Dec/2011:13:55:47 -0500] "GET /xampp/navi.php HTTP/1.1" 200 2290
127.0.0.1 - - [23/Dec/2011:13:55:47 -0500] "GET /xampp/start.php HTTP/1.1" 200 786
127.0.0.1 - - [23/Dec/2011:13:55:47 -0500] "GET /favicon.ico HTTP/1.1" 200 30894
127.0.0.1 - - [23/Dec/2011:13:55:50 -0500] "GET /work HTTP/1.1" 403 1111





Permissions of /opt/lampp/htdocs/



drwxr-xr-x 4 nobody root 4096 2011-12-23 13:32 htdocs





Permissions of /opt/lampp/htdocs/*myusername*



lrwxrwxrwx 1 root root 39 2011-12-23 13:12 myusername






Permissions of /home/Dropbox/test/



drwxr-xr-x 2 work work 4096 2011-12-23 13:10 myusername


Answer



This would suggest that FollowSymLinks is not present within the relevant <Directory> stanza. Here is an example:





<Directory "/opt/lampp/htdocs">
    Options Indexes FollowSymLinks
</Directory>



Pending verification of the Apache configuration (which I think you should paste in), this is the most likely answer.



EDIT: After reading your response to embobo, I went and replicated the problem with my server:



[Fri Dec 23 23:03:58 2011] [error] [client 192.168.15.20] Symbolic link not allowed or link target not accessible: /var/www/html/testsym



I suggest the following settings on test's parent directory:



chmod go+x /home/Dropbox


So that the Dropbox directory has execute permission for group and other; Apache (running as nobody) must be able to traverse every directory in the path to the symlink target.
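A quick way to verify that every component of the path is traversable by the web server (XAMPP runs as the nobody user here) is to walk the path with namei, or simply try listing the target as that user; the path below matches the example above:

namei -m /home/Dropbox/test/index.html

sudo -u nobody ls /home/Dropbox/test/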


Friday, September 15, 2017

Dell PowerEdge: powersaving BIOS settings differences




I'm closing in on purchasing a Dell PowerEdge R710 rack server and am curious to know the difference between Dell's power-saving BIOS setting and their performance BIOS setting. Should I be concerned about choosing the power-saving setting? I'll be using this server for terminal services and definitely want performance when performance is needed. That being said, for the other three-quarters of the day, when employees have gone home, I'd prefer it if this server wasn't running at 110%.



Thanks in advance.


Answer



I don't know the details, but the R710 has a BIOS Power/Performance options page. In it you can turn features on and off that will either save power or boost performance.



You can change these settings so I wouldn't worry about it.


How to make your apache application accessible within network

I have a Windows XP machine where I have installed WAMP and made a PHP based web application. I can access the web application from within this machine by using the browser and pointing to: http://localhost/myApp/ --- and the page loads fine.



Now I want this site (http://localhost/myApp) to be accessible to all machines within the network (and may be later, to the general public as well). I am quite new to this, how do I make my site accessible to all machines within the network and to the general public in the internet?



I tried modifying the httpd.conf file in Apache (WAMP) by changing
Listen 80 to Listen 10.10.10.10:80 (where I replaced 10.10.10.10 with the actual IP of this Windows XP machine). I also tried the "Put Online" feature in WAMP. Neither seems to work, though.



How do I make it accessible?
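No answer was recorded here, but the usual checklist is: leave Apache listening on all interfaces, allow clients other than localhost in the Apache 2.2 access rules, and open TCP 80 in the Windows XP firewall, which is the most common blocker. The directory path below is WAMP's default and may differ on your install; treat this as a sketch, not the canonical WAMP procedure.

# httpd.conf: the stock "Listen 80" already binds all interfaces, so an
# explicit IP only restricts it further
Listen 0.0.0.0:80

# httpd.conf: Apache 2.2-style access control for the document root
<Directory "c:/wamp/www/">
    Order Allow,Deny
    Allow from all
</Directory>

rem Windows XP firewall: open TCP 80 (run in cmd.exe)
netsh firewall add portopening TCP 80 "Apache HTTP"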

Thursday, September 14, 2017

domain name system - Does "~all" in the middle of an SPF record signal the end of the record when it is parsed?



Our company's SPF record format is as follows:



"v=spf1 include:_spf.google.com ~all a mx ip4:X.X.0.0/23 include:spf.example.com ?all"



So we have an "~all" in the middle of our SPF record. On the openspf.com website, they say this regarding the "all" mechanism:





This mechanism always matches. It usually goes at the end of the SPF
record.




So, they don't say "all" HAS to go at the end of the SPF record, but that it USUALLY goes at the end.



At our company, lately we've been seeing some soft fails in emails sent from servers listed in our SPF record, yet our SPF record passes all validation tools I've found so far.



What I'm wondering is, would this "~all" directly after the include for Google Apps (_spf.google.com) cause parsing to stop and not recognize the remaining pieces of the SPF record? Would passing vs. soft-failing depend on who is parsing it and their specific implementation of how they process SPF records? Is there any reason to have an "all" mechanism that is not at the end of an SPF record?




And yes, I know we could just change our SPF record. This question is more about clarifying how this all works and not necessarily about resolving our specific situation.


Answer



RFC 7208 § 5.1 is explicit about this: once "all" appears, everything after it MUST be ignored.




Mechanisms after "all" will never be tested. Mechanisms listed after "all" MUST be ignored. Any "redirect" modifier (Section 6.1) MUST be ignored when there is an "all" mechanism in the record, regardless of the relative ordering of the terms.




The RFC it obsoleted, RFC 4408, said much the same thing; the newer version of the RFC simply clarifies the intention.





Mechanisms after "all" will never be tested. Any "redirect" modifier (Section 6.1) has no effect when there is an "all" mechanism.




So, conforming implementations of SPF will completely ignore everything after the first ~all. This doesn't mean, however, that every implementation conforms to the spec. In particular, this was probably thought worthy of clarification precisely because one or more implementations did not conform.



It's not at all clear why an online validation tool would not catch this misconfiguration, but if you intend for anything after the first all to be used, you should correct the record, as proper implementations will ignore it.
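For completeness, a corrected version of the record from the question would keep every mechanism ahead of a single trailing all, with whichever qualifier is actually intended (shown here with ~all):

"v=spf1 a mx ip4:X.X.0.0/23 include:_spf.google.com include:spf.example.com ~all"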


windows server 2012 - Internal DNS fails when backup DNS goes offline

All machines are running Windows Server 2012.



We have a Domain Controller, DC1, that is also our primary DNS server. We have a secondary DNS server, DNS2.




All servers and desktops in the environment (60+) use DC1 as their primary DNS. All servers also use DNS2 as their secondary DNS. DC1 uses DNS2 as its primary DNS with loopback as secondary. DNS2 uses DC1 as primary and loopback as secondary. DC1 is set to notify DNS2 on changes for Zone Transfers. All desktop machines in the environment use DHCP. All servers have static IPs.



DNS2 is having an issue with its NIC that causes it to lose network connectivity. When that happens, all internal DNS resolutions immediately fail on all desktops and servers for 15-30 seconds. We're working on fixing the connectivity issue, but shouldn't DNS successfully resolve if the secondary is offline?

Proxy SSH to hide endpoints

Has anyone done SSH proxying that is transparent to the user, where the end host they are routed to is determined by any of the following: username, identity key, DNS hostname? I guess DNS hostname isn't possible with the protocol, but it could use the identity key.



For example, I want users to be able to all SSH to the same machine, but they end up on different VPS nodes: ssh -i identity_rsa user@example.com.



There are a few very nice features of doing this:





  1. The RSA host key is the same no matter what VPS you SSH into.

  2. The hostname could be the same, or (dubious) it could route on subdomain names. I'm not sure if this is in the protocol or it only uses the IP address to connect to a TCP socket.

  3. Zero configuration on the client side (proxy commands, multiple ssh tunnels, etc)

  4. All traffic is funneled through a gateway.



I'm worried this requires a custom (legitimate) MitM SSH server, because I want a normal end-to-end SSH connection that can do SCP and agent-forwarding.




Can agent forwarding work with forced commands? Could I create forced commands based on the public key that call ssh -A to the inside host?
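A rough sketch of the forced-command idea, keyed on each user's public key in the gateway account's authorized_keys; the usernames, internal IPs and key material are placeholders. Interactive sessions work because the PTY the client requests is passed through to the second hop, and agent forwarding works provided the client connects with -A so the gateway-to-VPS hop can reuse the agent; plain scp would additionally need SSH_ORIGINAL_COMMAND handling.

command="ssh -A user1@10.0.1.11" ssh-rsa AAAAB3Nza...key1... user1
command="ssh -A user2@10.0.1.12" ssh-rsa AAAAB3Nza...key2... user2

This also satisfies point 1 above: every client only ever sees the gateway's host key.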

Tuesday, September 12, 2017

networking - How do VLANs work?



What are VLANs? What problems do they solve?



I'm helping a friend learn basic networking, as he's just become the sole sysadmin at a small company. I've been pointing him at various questions/answers on Serverfault relating to various networking topics, and noticed a gap - there doesn't appear to be an answer which explains from first principles what VLANs are. In the spirit of How does Subnetting Work, I thought it would be useful to have a question with a canonical answer here.



Some potential topics to cover in an answer:





  • What are VLANs?

  • What problems were they intended to solve?

  • How did things work before VLANs?

  • How do VLANs relate to subnets?

  • What are SVIs?

  • What are trunk ports and access ports?

  • What is VTP?




EDIT: to be clear, I already know how VLANs work - I just think that Serverfault should have an answer that covers these questions. Time permitting, I'll be submitting my own answer as well.


Answer



Virtual LANs (VLANs) are an abstraction to permit a single physical network to emulate the functionality of multiple parallel physical networks. This is handy because there may be situations where you need the functionality of multiple parallel physical networks but you'd rather not spend the money on buying parallel hardware. I'll be speaking about Ethernet VLANs in this answer (even though other networking technologies can support VLANs) and I won't be diving deeply into every nuance.



A Contrived Example and a Problem



As a purely contrived example scenario, imagine you own an office building that you lease to tenants. As a benefit of the lease, each tenant will get live Ethernet jacks in each room of the office. You buy a Ethernet switch for each floor, wire them up to jacks in each office on that floor, and wire all the switches together.



Initially, you lease space to two different tenants: one on floor 1 and one on floor 2. Each of these tenants configures their computers with static IPv4 addresses. Both tenants use different TCP/IP subnets and everything seems to work just fine.




Later, a new tenant rents half of floor 3 and brings up one of these new-fangled DHCP servers. Time passes and the 1st floor tenant decides to jump on the DHCP bandwagon, too. This is the point when things start to go awry. The floor 3 tenants report that some of their computers are getting "funny" IP addresses from a machine that isn't their DHCP server. Soon, the floor 1 tenants report the same thing.



DHCP is a protocol that takes advantage of the broadcast capability of Ethernet to allow client computers to obtain IP addresses dynamically. Because the tenants are all sharing the same physical Ethernet network they share the same broadcast domain. A broadcast packet sent from any computer in the network will flood out all the switch ports to every other computer. The DHCP servers on floors 1 and 3 will receive all requests for IP address leases and will, effectively, duel to see who can answer first. This is clearly not the behavior you intend your tenants to experience. This is the behavior, though, of a "flat" Ethernet network w/o any VLANs.



Worse still, a tenant on floor 2 acquires this "Wireshark" software and reports that, from time to time, they see traffic coming out of their switch that references computers and IP addresses that they've never heard of. One of their employees has even figured out that he can communicate with these other computers by changing the IP address assigned to his PC from 192.168.1.38 to 192.168.0.38! Presumably, he's just a few short steps away from performing "unauthorized pro-bono system administration services" for one of the other tenants. Not good.



Potential Solutions



You need a solution! You could just pull the plugs between the floors and that would cut off all unwanted communication! Yeah! That's the ticket...




That might work, except that you have a new tenant who will be renting half of the basement and the unoccupied half of floor 3. If there isn't a connection between the floor 3 switch and the basement switch the new tenant won't be able to get communication between their computers that will be spread around both of their floors. Pulling the plugs isn't the answer. Worse still, the new tenant is bringing yet another one of these DHCP servers!



You flirt with the idea of buying physically separate sets of Ethernet switches for each tenant, but seeing as how your building has 30 floors, any of which can be subdivided up to 4 ways, the potential rat's nest of floor-to-floor cables between massive numbers of parallel Ethernet switches could be a nightmare, not to mention expensive. If only there were a way to make a single physical Ethernet network act like multiple physical Ethernet networks, each with its own broadcast domain.



VLANs to the Rescue



VLANs are an answer to this messy problem. VLANs permit you to subdivide an Ethernet switch into logically disparate virtual Ethernet switches. This allows a single Ethernet switch to act as though it's multiple physical Ethernet switches. In the case of your subdivided floor 3, for example, you could configure your 48 port switch such that the lower 24 ports are in a given VLAN (which we'll call VLAN 12) and the higher 24 ports are in a given VLAN (which we'll call VLAN 13). When you create the VLANs on your switch you'll have to assign them some type of VLAN name or number. The numbers I'm using here are mostly arbitrary, so don't worry about what specific numbers I choose.



Once you've divided the floor 3 switch into VLANs 12 and 13 you find that the new floor 3 tenant can plug in their DHCP server to one of the ports assigned to VLAN 13 and a PC plugged into a port assigned to VLAN 12 doesn't get an IP address from the new DHCP server. Excellent! Problem solved!




Oh, wait... how do we get that VLAN 13 data down to the basement?



VLAN Communication Between Switches



Your half-floor 3 and half-basement tenant would like to connect computers in the basement to their servers on floor 3. You could run a cable directly from one of the ports assigned to their VLAN in the floor 3 switch to the basement and life would be good, right?



In the early days of VLANs (pre-802.1Q standard) you might do just that. The entire basement switch would be, effectively, part of VLAN 13 (the VLAN you've opted to assign to the new tenant on floor 3 and the basement) because that basement switch would be "fed" by a port on floor 3 that's assigned to VLAN 13.



This solution would work until you rent the other half of the basement to your floor 1 tenant, who also wants to have communication between their 1st floor and basement computers. You could split the basement switch using VLANs (into, say, VLANs 2 and 13) and run a cable from floor 1 to a port assigned to VLAN 2 in the basement, but your better judgement tells you that this could quickly become a rat's nest of cables (and is only going to get worse). Splitting switches using VLANs is good, but having to run multiple cables from other switches to ports which are members of different VLANs seems messy. Undoubtedly, if you had to divide the basement switch 4 ways between tenants who also had space on higher floors you'd use 4 ports on the basement switch just to terminate "feeder" cables from upstairs VLANs.




It should now be clear that some type of generalized method of moving traffic from multiple VLANs between switches on a single cable is needed. Just adding more cables between switches to support connections between different VLANs isn't a scalable strategy. Eventually, with enough VLANs, you'll be eating up all the ports on your switches with these inter-VLAN / inter-switch connections. What's needed is a way to carry the packets from multiple VLANs along a single connection-- a "trunk" connection between switches.



Up to this point, all the switch ports we've talked about are called "access" ports. That is, these ports are dedicated to accessing a single VLAN. The devices plugged into these ports have no special configuration themselves. These devices don't "know" that any VLANs are present. Frames the client devices send are delivered to the switch which then takes care of making sure that the frame is only sent to ports assigned as members of the VLAN assigned to the port where the frame entered the switch. If a frame enters the switch on a port assigned as a member of VLAN 12 then the switch will only send that frame out ports that are members of VLAN 12. The switch "knows" the VLAN number assigned to a port from which it receives a frame and somehow knows to only deliver this frame out ports of the same VLAN.



If there were some way for a switch to share the VLAN number associated with a given frame to other switches then the other switch could properly handle delivering that frame only to the appropriate destination ports. This is what the 802.1Q VLAN tagging protocol does. (It's worth noting that, prior to 802.1Q, some vendors made up their own standards for VLAN tagging and inter-switch trunking. For the most part these pre-standard methods have all been supplanted by 802.1Q.)



When you have two VLAN-aware switches connected to each other and you want those switches to deliver frames between each other to the proper VLAN you connect those switches using "trunk" ports. This involves changing the configuration of a port on each switch from "access" mode to "trunk" mode (in a very basic configuration).
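As a concrete illustration of access versus trunk ports, here is roughly what the floor 3 switch configuration might look like in Cisco IOS syntax (other vendors differ, and the interface names are arbitrary):

interface GigabitEthernet0/1
 description Tenant access port in VLAN 12
 switchport mode access
 switchport access vlan 12
!
interface GigabitEthernet0/24
 description Trunk down to the basement switch
 switchport trunk encapsulation dot1q   ! only needed on platforms that also support ISL
 switchport mode trunk
 switchport trunk allowed vlan 12,13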



When a port is configured in trunk mode each frame that the switch sends out that port will have a "VLAN tag" included in the frame. This "VLAN tag" wasn't part of the original frame that the client sent. Rather, this tag is added by the sending switch prior to sending the frame out the trunk port. This tag denotes the VLAN number associated with the port from which the frame originated.




The receiving switch can look at the tag to determine which VLAN the frame originated from and, based on that information, forward the frame out only ports that are assigned to the originating VLAN. Because the devices connected to "access" ports aren't aware that VLANs are being used the "tag" information must be stripped from the frame before it's sent out a port configured in access mode. This stripping of the tag information causes the entire VLAN trunking process to be hidden from client devices since the frame they receive will not bear any VLAN tag information.



Before you configure VLANs in real life I'd recommend configuring a port for trunk mode on a test switch and monitoring the traffic being sent out that port using a sniffer (like Wireshark). You can create some sample traffic from another computer, plugged into an access port, and see that the frames leaving the trunk port will, in fact, be larger than the frames being sent by your test computer. You'll see the VLAN tag information in the frames in Wireshark. I find that it's worth actually seeing what happens in a sniffer. Reading up on the 802.1Q tagging standard is also a decent thing to do at this point (especially since I'm not talking about things like "native VLANs" or double-tagging).



VLAN Configuration Nightmares and the Solution



As you rent more and more space in your building the number of VLANs grows. Each time you add a new VLAN you find that you have to logon to increasingly more Ethernet switches and add that VLAN to the list. Wouldn't it be great if there were some method by which you could add that VLAN to a single configuration manifest and have it automatically populate the VLAN configuration of each switch?



Protocols like Cisco's proprietary "VLAN Trunking Protocol" (VTP) or the standards-based "Multiple VLAN Registration Protocol" (MVRP-- previously spelled GVRP) fulfill this function. In a network using these protocols a single VLAN creation or deletion entry results in protocol messages being sent to all switches in the network. That protocol message communicates the change in VLAN configuration to the rest of the switches which, in turn, modify their VLAN configurations. VTP and MVRP aren't concerned with which specific ports are configured as access ports for specific VLANs, but rather are useful in communicating the creation or deletion of VLANs to all the switches.




When you've gotten comfortable with VLANs you'll probably want to go back and read about "VLAN pruning", which is associated with protocols like VTP and MVRP. For now it's nothing to be tremendously concerned with. (The VTP article on Wikipedia has a nice diagram that explains VLAN pruning and the benefits therewith.)



When Do You Use VLANs In Real Life?



Before we go much further it's important to think about real life rather than contrived examples. In lieu of duplicating the text of another answer here I'll refer you to my answer re: when to create VLANs. It's not necessarily "beginner-level", but it's worth taking a look at now since I'm going to make reference to it briefly before moving back to a contrived example.



For the "tl;dr" crowd (who surely have all stopped reading at this point, anyway), the gist of that link above is: Create VLANs to make broadcast domains smaller or when you want to segregate traffic for some particular reason (security, policy, etc). There aren't really any other good reasons to use VLANs.



In our example we're using VLANs to limit broadcast domains (to keep protocols like DHCP working right) and, secondarily, because we want isolation between the various tenants' networks.




An Aside re: IP Subnets and VLANs



Generally speaking there is typically a one-to-one relationship between VLANs and IP subnets, as a matter of convenience, to facilitate isolation, and because of how the ARP protocol works.



As we saw at the beginning of this answer two different IP subnets can be used on the same physical Ethernet without issue. If you're using VLANs to shrink broadcast domains you won't want to share the same VLAN with two different IP subnets since you'll be combining their ARP and other broadcast traffic.



If you're using VLANs to segregate traffic for security or policy reasons then you also probably won't want to combine multiple subnets in the same VLAN since you'll be defeating the purpose of isolation.



IP uses a broadcast-based protocol, Address Resolution Protocol (ARP), to map IP addresses onto physical (Ethernet MAC) addresses. Since ARP is broadcast based, assigning different parts of the same IP subnet to different VLANs would be problematic because hosts in one VLAN wouldn't be able to receive ARP replies from hosts in the other VLAN, since broadcasts aren't forwarded between VLANs. You could solve this "problem" by using proxy-ARP but, ultimately, unless you have a really good reason to need to split an IP subnet across multiple VLANs it's better not to do so.




One Last Aside: VLANs and Security



Finally, it's worth noting that VLANs aren't a great security device. Many Ethernet switches have bugs that permit frames originating from one VLAN to be sent out ports assigned to another VLAN. Ethernet switch manufacturers have worked hard to fix these bugs, but it's doubtful that there will ever be a completely bug free implementation.



In the case of our contrived example the floor 2 employee who is moments away from providing free systems administration "services" to another tenant might be stopped from doing so by isolating his traffic into a VLAN. He might also figure out how to exploit bugs in the switch firmware, though, to allow his traffic to "leak" out onto another tenant's VLAN as well.



Metro Ethernet providers are relying, increasingly, on VLAN tagging functionality and the isolation that switches provide. It's not fair to say that there's no security offered by using VLANs. It is fair to say, though, that in situations with untrusted Internet connections or DMZ networks it's probably better to use physically separate switches to carry this "touchy" traffic rather than VLANs on switches that also carry your trusted "behind the firewall" traffic.



Bringing Layer 3 into the Picture




So far everything this answer has talked about relates to layer 2-- Ethernet frames. What happens if we start bringing layer 3 into this?



Let's go back to the contrived building example. You've embraced VLANs and opted to configure each tenant's ports as members of separate VLANs. You've configured trunk ports such that each floor's switch can exchange frames tagged with the originating VLAN number with the switches on the floors above and below. One tenant can have computers spread across multiple floors but, because of your adept VLAN configuring skills, these physically distributed computers can all appear to be part of the same physical LAN.



You're so full of your IT accomplishments that you decide to start offering Internet connectivity to your tenants. You buy a fat Internet pipe and a router. You float the idea to all your tenants and two of them immediately buy in. Luckily for you, your router has three Ethernet ports. You connect one port to your fat Internet pipe, another to a switch port assigned for access to the first tenant's VLAN, and the third to a port assigned for access to the second tenant's VLAN. You configure your router's ports with IP addresses in each tenant's network and the tenants start accessing the Internet through your service! Revenue increases and you're happy.



Soon, though, another tenant decides to get onto your Internet offering. You're out of ports on your router, though. What to do?



Fortunately you bought a router that supports configuring "virtual sub-interfaces" on its Ethernet ports. In short this functionality allows the router to receive and interpret frames tagged with originating VLAN numbers, and to have virtual (that is, non-physical) interfaces configured with IP addresses appropriate for each VLAN it will communicate with. In effect this permits you to "multiplex" a single Ethernet port on the router such that it appears to function as multiple physical Ethernet ports.




You attach your router to a trunk port on one of your switches and configure virtual sub-interfaces corresponding to each tenant's IP addressing scheme. Each virtual sub-interface is configured with the VLAN number assigned to each Customer. When a frame leaves the trunk port on the switch, bound for the router, it will carry a tag with the originating VLAN number (since it's a trunk port). The router will interpret this tag and treat the packet as though it arrived on a dedicated physical interface corresponding to that VLAN. Likewise, when the router sends a frame to the switch in response to a request it will add a VLAN tag to the frame such that the switch knows to which VLAN the response frame should be delivered. In effect, you've configured the router to "appear" as a physical device in multiple VLANs while only using a single physical connection between the switch and the router.
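In Cisco IOS terms, a router-on-a-stick configuration along these lines might look like the following; the VLAN numbers match the example and the IP addressing is purely hypothetical:

interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.12
 encapsulation dot1Q 12
 ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/0.13
 encapsulation dot1Q 13
 ip address 192.168.13.1 255.255.255.0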



Routers on Sticks and Layer 3 Switches



Using virtual sub-interfaces you've been able to sell Internet connectivity to all your tenants without having to buy a router that has 25+ Ethernet interfaces. You're fairly happy with your IT accomplishments so you respond positively when two of your tenants come to you with a new request.



These tenants have opted to "partner" on a project and they want to allow access from client computers in one tenant's office (one given VLAN) to a server computer in the other tenant's office (another VLAN). Since they're both Customers of your Internet service it's a fairly simple change of an ACL in your core Internet router (on which there is a virtual sub-interface configured for each of these tenant's VLANs) to allow traffic to flow between their VLANs as well as to the Internet from their VLANs. You make the change and send the tenants on their way.



The next day you receive complaints from both tenants that access between the client computers in one office to the server in the second office is very slow. The server and client computers both have gigabit Ethernet connections to your switches but the files only transfer at around 45Mbps which, coincidentally, is roughly half of the speed with which your core router connects to its switch. Clearly the traffic flowing from the source VLAN to the router and back out from the router to the destination VLAN is being bottlenecked by the router's connection to the switch.




What you've done with your core router, allowing it to route traffic between VLANs, is commonly known as "router on a stick" (an arguably stupidly whimsical euphemism). This strategy can work well, but traffic can only flow between the VLANs up to the capacity of the router's connection to the switch. If, somehow, the router could be conjoined with the "guts" of the Ethernet switch itself it could route traffic even faster (since the Ethernet switch itself, per the manufacturer's spec sheet, is capable of switching over 2Gbps of traffic).



A "layer 3 switch" is an Ethernet switch that, logically speaking, contains a router buried inside itself. I find it tremendously helpful to think of a layer 3 switch as having a tiny and fast router hiding inside the switch. Further, I would advise you to think about the routing functionality as a distinctly separate function from the Ethernet switching function that the layer 3 switch provides. A layer 3 switch is, for all intents and purposes, two distinct devices wrapped up in a single chassis.



The embedded router in a layer 3 switch is connected to the switch's internal switching fabric at a speed that, typically, allows for routing of packets between VLANs at or near wire-speed. Analogously to the virtual sub-interfaces you configured on your "router on a stick" this embedded router inside the layer 3 switch can be configured with virtual interfaces that "appear" to be "access" connections into each VLAN. Rather than being called virtual sub-interfaces these logical connections from the VLANs into the embedded router inside a layer 3 switch are called Switch Virtual Interfaces (SVIs). In effect, the embedded router inside a layer 3 switch has some quantity of "virtual ports" that can be "plugged in" to any of the VLANs on the switch.
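The SVI equivalent on a layer 3 switch, again sketched in Cisco IOS syntax with hypothetical addressing, looks much the same except the "interfaces" are the VLANs themselves:

ip routing
!
interface Vlan12
 ip address 192.168.12.1 255.255.255.0
!
interface Vlan13
 ip address 192.168.13.1 255.255.255.0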



The embedded router performs the same way as a physical router except that it typically doesn't have all of the same dynamic routing protocol or access-control list (ACL) features as a physical router (unless you've bought a really nice layer 3 switch). The embedded router has the advantage, however, of being very fast and not having a bottleneck associated with a physical switch port that it's plugged into.



In the case of our example here with the "partnering" tenants, you might opt to obtain a layer 3 switch, plug it into trunk ports such that traffic from both customers' VLANs reaches it, then configure SVIs with IP addresses and VLAN memberships such that it "appears" in both customers' VLANs. Once you've done that it's just a matter of tweaking the routing table on your core router and the embedded router in the layer 3 switch such that traffic flowing between the tenants' VLANs is routed by the embedded router inside the layer 3 switch versus the "router on a stick".




Using a layer 3 switch doesn't mean that there still won't be bottlenecks associated with the bandwidth of the trunk ports that interconnect your switches. This is an orthogonal concern to those that VLANs address, though. VLANs have nothing to do with bandwidth problems. Typically bandwidth problems are solved by either obtaining higher-speed inter-switch connections or using link-aggregation protocols to "bond" several lower-speed connections together into a virtual higher-speed connection. Unless all the devices creating frames to be routed by the embedded router inside the layer 3 switch are, themselves, plugged into ports directly on the layer 3 switch, you still need to worry about the bandwidth of the trunks between the switches. A layer 3 switch isn't a panacea, but it's typically faster than a "router on a stick".



Dynamic VLANs



Lastly, there is a function in some switches to provide dynamic VLAN membership. Rather than assigning a given port to be an access port for a given VLAN the port's configuration (access or trunk, and for which VLANs) can be altered dynamically when a device is connected. Dynamic VLANs are a more advanced topic but knowing that the functionality exists can be helpful.



The functionality varies between vendors but typically you can configure dynamic VLAN membership based on the MAC address of the connected device, 802.1X authentication status of the device, proprietary and standards-based protocols (CDP and LLDP, for example, to allow IP phones to "discover" the VLAN number for voice traffic), IP subnet assigned to the client device, or Ethernet protocol type.


linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...